Security Programs

Infosec

| Link | Notes |
|---|---|
| Information Security Services functions | Each section within the Information Security Services function is comprised of numerous departments, each with their own functions to support the larger department |

Product / DevOps

| Link | Notes |
|---|---|
| Netflix The Paved Road at Netflix | |
| Netflix Netflix Culture Meets Product Security | 1. Security is the responsibility of each individual product team; 2. Security is the responsibility of the security team |
| Netflix Scaling Appsec at Netflix | 1. Operational Appsec capabilities: traditional Appsec activities; 2. Security Partnerships: driving holistic security improvements to drive down risk; 3. Appsec Automation: build a comprehensive app inventory and enable self-service security guidance |
| Cruise Building a Container Platform at Cruise | Environments & Tenants, Infrastructure Boundaries, Platform Boundaries |
| Cruise Container Platform Security at Cruise | Identity, Authentication, Authorization, Secrets, Encryption |
| Cruise Container Platform Networking at Cruise | GCP Hybrid Connectivity Options |
| Security maturity levels of Product Security Teams | Grouping dev teams into 4 security maturity levels |

AppSec Specific

| Link | Notes |
|---|---|
| An opinionated guide to scaling your company's security | Clint's talk summarising approaches from multiple companies |
| Uber The Path to Code Provenance | Strategy for ensuring we have a verifiable attestation of the origin of all code running in production |
| The Art of Vulnerability Management | How to create a positive vulnerability management culture and process that works for engineers and the security team |
| Beyond The Security Team | |
| Implement Security Champions Programme | Main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes |
| How we run our bug bounty program at Segment | |
| A Guide to Threat Modelling for Developers | Clear and simple steps to help teams that want to adopt threat modelling |
| Awesome Threat Modeling | |
| Appsec Development: Keeping it all together at scale | 1. Project Risk Assessment: help teams manage risk to their timeline and help security schedule penetration tests; 2. Security Impact Assessment: let teams quickly exit the review process without the need for peer review; 3. Risk Assessment: identify potentially risky items with peer review; 4. Threat Model: analyze risky designs and create mitigations |
| Creating Security Decision Trees With Graphviz | |

Teams

| Link | Notes |
|---|---|
| The Actual Cybersecurity Workforce Challenge | There is a cybersecurity skills crisis, but the answer is not to simply focus on creating more trained cybersecurity professionals |

Risk / Compliance

| Link | Notes |
|---|---|
| The SOC2 Starting Seven | 7 things you can do now that will simplify SOC2 for you down the road while making security posture materially better in the immediacy |
| Cybersecurity and the Board: A Fresh Perspective? | How to represent cybersecurity (or technology / information risks more generally) to the Board |
| Prioritizing Cloud Risk Requires Context to be Effective | Prioritizing risk mitigation based on CIS output alone misses something critical: organizational context |
| Open-Sourcing riskquant, a library for quantifying risk | |
| Experimenting with visualizations and code risk overview | |

Checklists